Provision and manage accounts in AWS Control Tower
This chapter includes an overview and procedures for provisioning and managing member accounts in your AWS Control Tower landing zone.
It also includes an overview and procedures for enrolling an existing AWS account into AWS Control Tower.
For more information about accounts in AWS Control Tower, see About AWS accounts in AWS Control Tower. For information about enrolling multiple accounts into AWS Control Tower, see Register an existing organizational unit with AWS Control Tower.
Note
You can perform up to five (5) account-related operations concurrently, including provisioning, updating, and enrolling.
What happens when AWS Control Tower creates an account
New accounts in AWS Control Tower are created and then provisioned by an interaction among AWS Control Tower, AWS Organizations, and AWS Service Catalog. For steps to enroll an existing AWS account using the AWS Control Tower console, see Enroll an existing account.
Behind the scenes of account creation
- You initiate the request, for example from the AWS Control Tower Account Factory page, directly from the AWS Service Catalog console, or by calling the Service Catalog ProvisionProduct API.
- AWS Service Catalog calls AWS Control Tower.
- AWS Control Tower begins a workflow, which as a first step calls the AWS Organizations CreateAccount API.
- After AWS Organizations creates the account, AWS Control Tower completes the provisioning process by applying blueprints and controls.
- Service Catalog continues to poll AWS Control Tower to check for completion of the provisioning process.
- When the workflow in AWS Control Tower is complete, Service Catalog finalizes the account's state and informs you (the requester) of the result.
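The workflow above, driven from the requester's side, as an added example (not AWS's own code or documentation sample): it calls the Service Catalog ProvisionProduct API, polls DescribeRecord until the provisioning record reaches a terminal status, reports FAILED and timed-out records rather than treating them as provisioned, and caps parallel requests at the five concurrent account operations the note at the top of this page allows. The product ID, provisioning artifact ID, account names and e-mail addresses are placeholders; the six Account Factory parameter keys are the product's own parameters and should be confirmed against the provisioning artifact you use. The FakeServiceCatalog class is a constructed offline stand-in so the flow can be exercised without an AWS account.

```python
import time
from concurrent.futures import ThreadPoolExecutor

# AWS Control Tower allows at most five concurrent account operations.
MAX_CONCURRENT_ACCOUNT_OPERATIONS = 5
# Terminal values of RecordDetail.Status as returned by DescribeRecord.
TERMINAL_STATUSES = {"SUCCEEDED", "FAILED"}


def account_factory_parameters(account_name, account_email, ou_name,
                               sso_email, sso_first_name, sso_last_name):
    """Build the ProvisioningParameters list for the Account Factory product
    (confirm these keys against the provisioning artifact you are using)."""
    params = {
        "AccountName": account_name,
        "AccountEmail": account_email,
        "ManagedOrganizationalUnit": ou_name,
        "SSOUserEmail": sso_email,
        "SSOUserFirstName": sso_first_name,
        "SSOUserLastName": sso_last_name,
    }
    return [{"Key": k, "Value": v} for k, v in params.items()]


def provision_account(sc, product_id, artifact_id, provisioned_name, parameters):
    """Step 1 of the workflow: ProvisionProduct. Returns the RecordId to poll."""
    resp = sc.provision_product(
        ProductId=product_id,
        ProvisioningArtifactId=artifact_id,
        ProvisionedProductName=provisioned_name,
        ProvisioningParameters=parameters,
    )
    return resp["RecordDetail"]["RecordId"]


def wait_for_record(sc, record_id, poll_seconds=30, timeout_seconds=3600,
                    sleep=time.sleep, clock=time.monotonic):
    """Poll DescribeRecord until the record is SUCCEEDED or FAILED.
    Returns (status, error_descriptions); a record that never becomes
    terminal is reported as TIMEOUT, never as a provisioned account."""
    deadline = clock() + timeout_seconds
    while True:
        detail = sc.describe_record(Id=record_id)["RecordDetail"]
        status = detail["Status"]
        if status in TERMINAL_STATUSES:
            errors = [e.get("Description", "") for e in detail.get("RecordErrors", [])]
            return status, errors
        if clock() >= deadline:
            return "TIMEOUT", []
        sleep(poll_seconds)


def provision_and_wait(sc, product_id, artifact_id, name, parameters, **poll_kwargs):
    """Submit one account request and block until its record is terminal."""
    record_id = provision_account(sc, product_id, artifact_id, name, parameters)
    return wait_for_record(sc, record_id, **poll_kwargs)


def provision_accounts(sc, product_id, artifact_id, requests, **poll_kwargs):
    """Provision several accounts without exceeding the concurrency limit.
    requests: list of (provisioned_product_name, parameters); returns {name: (status, errors)}."""
    with ThreadPoolExecutor(max_workers=MAX_CONCURRENT_ACCOUNT_OPERATIONS) as pool:
        futures = {
            name: pool.submit(provision_and_wait, sc, product_id, artifact_id,
                              name, params, **poll_kwargs)
            for name, params in requests
        }
        return {name: fut.result() for name, fut in futures.items()}


class FakeServiceCatalog:
    """Constructed offline stand-in for boto3.client("servicecatalog"): each product
    walks through a scripted list of RecordDetail dicts and stays on the last one."""

    def __init__(self, scripted):
        self._scripted = dict(scripted)   # name -> [RecordDetail, ...]
        self._records = {}                # record id -> remaining RecordDetails

    def provision_product(self, **kwargs):
        name = kwargs["ProvisionedProductName"]
        record_id = f"rec-{name}"
        self._records[record_id] = list(self._scripted[name])
        return {"RecordDetail": {"RecordId": record_id, "Status": "CREATED"}}

    def describe_record(self, Id):
        seq = self._records[Id]
        detail = seq.pop(0) if len(seq) > 1 else seq[0]
        return {"RecordDetail": detail}


def demo():
    """Run the whole flow offline against the fake: one account succeeds, one fails."""
    ok = [{"Status": "IN_PROGRESS"}, {"Status": "IN_PROGRESS"}, {"Status": "SUCCEEDED"}]
    bad = [{"Status": "IN_PROGRESS"},
           {"Status": "FAILED",
            "RecordErrors": [{"Code": "X", "Description": "Account email already in use"}]}]
    sc = FakeServiceCatalog({"sandbox-01": ok, "sandbox-02": bad})
    requests = [
        ("sandbox-01", account_factory_parameters(
            "sandbox-01", "aws+sandbox01@example.com", "Sandbox",
            "owner@example.com", "Ada", "Lovelace")),
        ("sandbox-02", account_factory_parameters(
            "sandbox-02", "aws+sandbox02@example.com", "Sandbox",
            "owner@example.com", "Ada", "Lovelace")),
    ]
    return provision_accounts(sc, "prod-PLACEHOLDER", "pa-PLACEHOLDER", requests,
                              poll_seconds=0, sleep=lambda _s: None)
```

Against a real landing zone, pass `boto3.client("servicecatalog")` as `sc` instead of the fake and keep the default poll interval and timeout; account creation routinely takes many minutes, and the timeout exists so an automation job that loses contact with the workflow reports an unknown outcome instead of assuming the account and its controls are in place.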
Security for your accounts
You can find guidance about best practices to protect the security of your AWS Control Tower management account and member accounts in the AWS Organizations documentation.